05 July 2010

SELinux other voices

The RHCE in the channel from my last post complains that I was too hard on him or her. That person also points out that they used a different approach for building the new policy file, one which permits more atomicity in maintaining several policies (here, sorting by daemon). While I invited that person to reply by way of a formal post, it appears that this is their 'final word' ("topic closed") on the matter. As such, I note it here for those of you playing along at home:

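# Build an initial module (vsftpd.te and vsftpd.pp) from the logged denials
grep vsftpd /var/log/audit/audit.log | \
   audit2allow -M vsftpd
semodule -i vsftpd.pp
# Hand-edit the type-enforcement source, then recompile, repackage and reload
vi vsftpd.te
checkmodule -M -m -o vsftpd.mod vsftpd.te
semodule_package -o vsftpd.pp -m vsftpd.mod
semodule -i vsftpd.pp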
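
A review step that fits before the audit2allow run above, as an added example (not from the original post or the RHCE's reply): it tallies denied AVC records by the exact comm field, because a plain grep for vsftpd also picks up records from other daemons whose path mentions vsftpd, as well as granted records. The function names and the log records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample records in audit.log AVC format (not from a real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1278300001.101:501): avc:  denied  { read } for  pid=2301 comm="vsftpd" name="pub" dev=dm-0 ino=4001 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1278300002.102:502): avc:  denied  { read } for  pid=2302 comm="vsftpd" name="pub" dev=dm-0 ino=4001 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1278300003.103:503): avc:  denied  { write } for  pid=2303 comm="vsftpd" name="in.dat" dev=dm-0 ino=4002 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1278300004.104:504): avc:  denied  { getattr } for  pid=2400 comm="httpd" path="/etc/vsftpd/vsftpd.conf" dev=dm-0 ino=4003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1278300005.105:505): avc:  granted  { read } for  pid=2304 comm="vsftpd" name="welcome" dev=dm-0 ino=4004 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
EOF
}

# avc_summary DAEMON [FILE]
# Prints one line per distinct denial: "count source_type target_type:class { perms }".
# Reads FILE, or standard input when FILE is omitted.
avc_summary() {
    awk -v want="$1" '
    $1 == "type=AVC" && / denied / {
        comm = src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (comm != want) next          # exact match on the process name
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 2, e - s - 3)
        seen[src " " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in seen) print seen[k], k }' "${2:--}" | sort
}

# Substring match: counts every record that mentions vsftpd anywhere.
sample_log | grep -c vsftpd
# Field match: only denials actually raised by the vsftpd process.
sample_log | avc_summary vsftpd
```

On a live system the same function can be pointed at /var/log/audit/audit.log as its second argument, and the tally compared against the rules audit2allow writes into vsftpd.te.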

More accurate information is better than less. Clearly there are many paths to rule generation and maintenance. The takeaway remains: use, and do not disable, SELinux.

Thanks for the feedback.